Document Retention: What to Keep and for How Long

How long should you keep client documents? The answer affects storage costs, breach risk, and regulatory compliance. Keep documents too short and you face liability; keep them too long and you maintain unnecessary risk while consuming storage resources.

This guide covers document retention requirements for accounting practices, balancing legal obligations with practical risk management.

Why Retention Policies Matter

The Competing Pressures

Document retention involves balancing opposing concerns:

Keep longer for protection. Having documents available supports defense against claims and enables response to client questions or audit inquiries years later.

Keep shorter for risk reduction. Every stored document is a breach liability. You cannot lose or expose what you do not have.

Keep organized for efficiency. Regardless of duration, organized retention enables retrieval when needed.

A thoughtful retention policy balances these concerns based on document type and applicable requirements.

Regulatory Landscape

Multiple regulatory frameworks affect document retention:

Federal tax requirements establish minimum retention for tax-related records.

State professional regulations often impose retention requirements on licensed accountants.

Industry standards, including international accounting standards and the international accounting standard framework, may affect records related to financial statement preparation.

Contractual obligations in engagement letters may create retention commitments.

Understanding these overlapping requirements is essential for compliant retention policies.

Federal Tax Record Requirements

General Retention Periods

The IRS generally requires taxpayers to keep records supporting their returns for three years from filing date. However, extended periods apply in many situations:

Six years if income was underreported by more than 25%.

Seven years if worthless security or bad debt deduction was claimed.

Indefinitely if no return was filed or if a fraudulent return was filed.

For accountants holding client records, the three-year minimum is rarely sufficient given extended assessment periods and potential claim situations.

Specific Document Categories

Some documents warrant extended retention:

Property records: Basis documentation should be retained for as long as the property is owned plus the applicable assessment period after sale.

Employment records: Various IRS and Department of Labor requirements mandate retention of payroll records for four to seven years.

Business entity records: Formation documents, meeting minutes, and similar records should be retained for the life of the entity plus assessment periods.

Match retention periods to document types for appropriate protection.

Practical Recommendations

For most tax-related client documents, practical recommendations exceed minimums:

Individual tax returns and supporting documents: Seven years from filing date.

Business tax returns and supporting documents: Seven years from filing date.

Payroll records and tax deposits: Seven years.

Property basis documentation: Duration of ownership plus seven years.

The seven-year standard covers most extended assessment situations while avoiding indefinite retention.

State Requirements

Professional Regulations

State boards of accountancy often impose document retention requirements on licensees. These vary by state but commonly require:

Retention of workpapers supporting professional services for five to seven years.

Client record availability upon request for specified periods.

Specific retention for audit documentation.

Check your state board's requirements, as violations can affect licensure.

State Tax Considerations

State tax assessment periods may differ from federal:

Some states have longer assessment periods than the IRS.

State-specific credits or incentives may have their own documentation requirements.

Multi-state situations create overlapping retention obligations.

If you serve clients in multiple states, apply the longest applicable retention period.

Industry Standards

Audit Documentation

For practices performing audits, specific retention requirements apply:

PCAOB rules require audit documentation retention for seven years from the audit report date for public company audits.

Peer review standards may require documentation availability for review purposes.

Financial accounting standards board pronouncements may reference documentation expectations.

Audit practices should implement robust retention aligned with professional standards.

Compilations and Reviews

Compilation and review engagements have documentation requirements:

AICPA standards require retention of documentation supporting these services.

Many state boards apply similar retention requirements as for audit documentation.

Engagement letters should address documentation retention expectations.

Tax Preparation

Tax preparer regulations impose specific requirements:

IRS regulations require tax preparers to retain return copies or lists and records of taxpayers for three years.

State regulations often extend these requirements.

AICPA standards provide additional guidance for member CPAs.

Developing Your Retention Policy

Document Classification

Create a classification system that maps documents to retention periods:

Class A: Permanent retention (entity formation documents, certain legal records).

Class B: Extended retention—10+ years (property basis, complex transaction documentation).

Class C: Standard retention—7 years (most tax returns and supporting documents).

Class D: Limited retention—3-5 years (routine correspondence, superseded documents).

Classification simplifies retention decisions by providing clear categories.

Retention Schedule

Document specific retention periods for each document type your practice handles:

Individual tax returns and workpapers: 7 years from filing.

Business tax returns and workpapers: 7 years from filing.

Audit documentation: 7 years from report date (PCAOB) or as required by applicable standards.

Compilation/review documentation: 7 years from report date.

Engagement letters: Duration of engagement plus 7 years.

Client correspondence: 7 years from date.

Internal administrative records: 5 years.

Customize this schedule for your practice's services and jurisdictions.

Exception Handling

Some situations warrant deviation from standard retention:

Litigation hold: When litigation is anticipated or pending, relevant documents must be preserved regardless of standard retention.

Regulatory investigation: Preserve documents relevant to any investigation.

Client request: Some clients may request extended retention.

Complex transactions: Unusual matters may warrant longer retention.

Document exception processes to ensure proper handling.

Implementation Considerations

Electronic vs Physical Documents

Modern practices have both electronic and physical documents:

Electronic documents are easier to store long-term and search when needed.

Physical documents require space and organization.

Digitization converts physical to electronic, reducing physical storage while enabling longer retention of electronic copies.

Most practices are moving toward primarily electronic retention with limited physical document retention.

Storage Security

Retention requires secure storage:

Access controls limiting who can access stored documents.

Encryption protecting documents at rest.

Backup systems preventing data loss.

Physical security for any remaining paper files.

Security requirements do not diminish as documents age.

Destruction Processes

When retention periods expire, destruction should be secure and documented:

Shredding for physical documents.

Secure deletion for electronic files (not just moving to trash).

Destruction logs documenting what was destroyed and when.

Verification that backup copies are also addressed.

Many of the largest accounting firms have formal destruction processes with documentation requirements.

Client Considerations

Client-Owned Documents

Distinguish between your workpapers and client documents:

Client source documents (W-2s, 1099s, etc.) belong to the client.

Your workpapers and analysis belong to you.

Copies of filed returns are typically provided to clients.

Client documents should generally be returned upon request, though you may retain copies per your policy.

Engagement Letter Provisions

Address retention in engagement letters:

"We will retain our workpapers and copies of relevant documents for seven years, after which they may be destroyed without notice. Client source documents will be returned upon completion of the engagement or earlier upon request."

Clear engagement letter language sets expectations and provides documentation of your policy.

Client Termination

When client relationships end, document handling requires attention:

Return client source documents if requested.

Retain your workpapers per retention policy.

Consider whether terminated relationships warrant different retention treatment.

Document the termination and any document disposition.

Special Situations

Merger or Acquisition

When practices merge or are acquired:

Document retention obligations transfer to the successor.

Review retention policies for consistency.

Ensure secure transfer of stored documents.

Update retention schedules for combined operations.

Practice Closure

If a practice closes entirely:

Client documents should be returned or transferred to successor practitioners.

Workpapers may need to be retained by the former owner or transferred to secure storage.

State board requirements may impose specific obligations.

Plan for post-closure document access if needed.

Deceased Practitioner

When a sole practitioner dies:

Succession planning should address document access and retention.

Estate or successor should understand obligations.

Client notification enables document requests before any disposition.

These situations warrant advance planning.

Technology and Automation

Automated Retention

Modern document management systems can automate retention:

Automatic dating when documents enter the system.

Retention rules applied based on document classification.

Alerts when retention periods expire.

Batch processing for routine destruction.

Automation reduces the risk of both premature destruction and inadvertent over-retention.

Cloud Storage Considerations

Cloud storage creates additional considerations:

Understand where data is physically stored (affects regulatory compliance).

Review vendor retention and destruction capabilities.

Ensure portability if you change vendors.

Verify that deletion actually deletes (not just removes access).

Cloud vendors should support, not undermine, your retention policies.

Backup Retention

Backups complicate retention:

Backed-up documents persist until backup media is cycled.

Document destruction from primary storage may not address backup copies.

Plan backup cycles to align with retention goals.

Consider document-level exclusion from backup for expired records.

Best Practices Summary

Policy Development

Create a written retention policy that:

Documents retention periods for each document type.

Addresses both electronic and physical documents.

Includes exception handling procedures.

Assigns responsibility for policy compliance.

Provides for regular policy review and updates.

Implementation

Implement retention through:

Consistent document classification when documents are created or received.

Secure storage appropriate to document sensitivity.

Regular review of documents approaching retention expiration.

Documented destruction with appropriate verification.

Ongoing Compliance

Maintain compliance through:

Staff training on retention requirements and procedures.

Periodic audits of retention compliance.

Updates when regulations or practice services change.

Documentation of policy and compliance for defense if questioned.

Conclusion

Document retention requires balancing legal requirements, professional standards, practical risk management, and operational efficiency. No single retention period fits all documents—thoughtful classification and appropriate retention periods for each category provide optimal protection.

Develop a written policy based on your practice's services and regulatory environment. Implement it consistently through classification, secure storage, and documented destruction. Review and update as requirements evolve.

The practices that manage retention well face both lower breach risk from over-retention and lower liability risk from premature destruction. A thoughtful approach to retention is an essential component of practice risk management.